authorAndreas Metzler <ametzler@debian.org>2011-01-24 19:01:39 +0000
committerAndreas Metzler <ametzler@debian.org>2011-01-24 19:01:39 +0000
commit938026ce70f42942cb1b270e366aaae3fd64ca35 (patch)
tree8c0ce18cb0b800001a98769fb4233674fc7e0c4d
parentbb3b6416782cb043e3ca854faf0144a53d6437cb (diff)
parentb458d83572a03ac9b28cb0a997318254812e2362 (diff)
downloadexim4-4.69-9+lenny3.tar.gz
[svn-buildpackage] Tagging exim4 4.69-9+lenny34.69-9+lenny3
svn path=/exim/tags/4.69-9+lenny3/; revision=2565
-rw-r--r--debian/changelog18
-rw-r--r--debian/patches/00list2
-rwxr-xr-xdebian/patches/80_4.74_CVE-2011-0017.dpatch112
-rwxr-xr-xdebian/patches/80_4.74_deliverylogging.dpatch31
4 files changed, 158 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog
index 994b064..27ddbad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,16 @@
-exim4 (4.69-9+lenny3) UNRELEASED; urgency=low
-
- * NOT RELEASED YET
-
- -- Andreas Metzler <ametzler@debian.org> Thu, 06 Jan 2011 13:25:18 +0100
+exim4 (4.69-9+lenny3) stable-security; urgency=low
+
+ * 80_4.74_CVE-2011-0017.dpatch (Pulled from upstream git): Check return
+ values of setgid/setuid. This is a privilege escalation vulnerability
+ whereby the Exim run-time user can cause root to append content of the
+ attacker's choosing to arbitrary files.
+ * 80_4.74_deliverylogging.dpatch (Pulled from upstream git): If a non-debug
+ daemon was invoked with a non-whitelisted macro, then logs from after
+ attempting delivery would be silently lost, including for successful
+ delivery. This log-loss bug was introduced as part of the security
+ lockdown for fixing CVE-2010-4345. Closes: #610611
+
+ -- Andreas Metzler <ametzler@debian.org> Mon, 24 Jan 2011 19:31:06 +0100
exim4 (4.69-9+lenny2) stable-security; urgency=high
diff --git a/debian/patches/00list b/debian/patches/00list
index 8441a55..879f2cb 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -21,5 +21,7 @@
80_4.73rc1_6_nonroot_system_filter_user.dpatch
80_4.73rc1_7_filter_D_option.dpatch
80_4.73rc1_8_updatedocumentation.dpatch
+80_4.74_CVE-2011-0017.dpatch
+80_4.74_deliverylogging.dpatch
81_pool_reset_issue.dpatch
82_string_format_overflow.dpatch
diff --git a/debian/patches/80_4.74_CVE-2011-0017.dpatch b/debian/patches/80_4.74_CVE-2011-0017.dpatch
new file mode 100755
index 0000000..b618547
--- /dev/null
+++ b/debian/patches/80_4.74_CVE-2011-0017.dpatch
@@ -0,0 +1,112 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_CVE-2011-0017.dpatch by Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Check return values of setgid/setuid.
+## DP:
+## DP: CVE-2011-0017
+## DP: One assertion of the unimportance of checking the return value was
+## DP: wrong in the event of a compromised exim run-time user.
+## DP: 1670ef10063d7708eb736a482d1ad25b9c59521d
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c 2011-01-24 19:12:39.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c 2011-01-24 19:14:35.000000000 +0100
+@@ -1412,7 +1412,7 @@
+ int filter_sfd = -1;
+ int filter_ufd = -1;
+ int group_count;
+-int i;
++int i, rv;
+ int list_queue_option = 0;
+ int msg_action = 0;
+ int msg_action_arg = -1;
+@@ -1744,8 +1744,20 @@
+
+ if (real_uid == root_uid)
+ {
+- setgid(real_gid);
+- setuid(real_uid);
++ rv = setgid(real_gid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
++ (long int)real_gid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ rv = setuid(real_uid);
++ if (rv)
++ {
++ fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
++ (long int)real_uid, strerror(errno));
++ exit(EXIT_FAILURE);
++ }
+ }
+
+ /* If neither the original real uid nor the original euid was root, Exim is
+@@ -3945,7 +3957,28 @@
+
+ /* When we are retaining a privileged uid, we still change to the exim gid. */
+
+-else setgid(exim_gid);
++else
++ {
++ int rv;
++ rv = setgid(exim_gid);
++ /* Impact of failure is that some stuff might end up with an incorrect group.
++ We track this for failures from root, since any attempt to change privilege
++ by root should succeed and failures should be examined. For non-root,
++ there's no security risk. For me, it's { exim -bV } on a just-built binary,
++ no need to complain then. */
++ if (rv == -1)
++ {
++ if (!unprivileged)
++ {
++ fprintf(stderr,
++ "exim: changing group failed: %s\n", strerror(errno));
++ exit(EXIT_FAILURE);
++ }
++ else
++ debug_printf("changing group to %ld failed: %s\n",
++ (long int)exim_gid, strerror(errno));
++ }
++ }
+
+ /* Handle a request to list the delivery queue */
+
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/log.c exim-4.69/build-tree/src/log.c
+--- exim-4.69~/build-tree/src/log.c 2007-08-22 12:10:23.000000000 +0200
++++ exim-4.69/build-tree/src/log.c 2011-01-24 19:14:35.000000000 +0100
+@@ -343,17 +343,26 @@
+
+ else if (euid == root_uid)
+ {
+- int status;
++ int status, rv;
+ pid_t pid = fork();
+
+ /* In the subprocess, change uid/gid and do the creation. Return 0 from the
+- subprocess on success. There doesn't seem much point in testing for setgid
+- and setuid errors. */
++ subprocess on success. If we don't check for setuid failures, then the file
++ can be created as root, so vulnerabilities which cause setuid to fail mean
++ that the Exim user can use symlinks to cause a file to be opened/created as
++ root. We always open for append, so can't nuke existing content but it would
++ still be Rather Bad. */
+
+ if (pid == 0)
+ {
+- (void)setgid(exim_gid);
+- (void)setuid(exim_uid);
++ rv = setgid(exim_gid);
++ if (rv)
++ die(US"exim: setgid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
++ rv = setuid(exim_uid);
++ if (rv)
++ die(US"exim: setuid for log-file creation failed, aborting",
++ US"Unexpected log failure, please try later");
+ _exit((create_log(buffer) < 0)? 1 : 0);
+ }
+
diff --git a/debian/patches/80_4.74_deliverylogging.dpatch b/debian/patches/80_4.74_deliverylogging.dpatch
new file mode 100755
index 0000000..e9e9794
--- /dev/null
+++ b/debian/patches/80_4.74_deliverylogging.dpatch
@@ -0,0 +1,31 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 80_4.74_deliverylogging.dpatch by Phil Pennock <pdp@exim.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Bug 1071: fix delivery logging with untrusted macros.
+## DP:
+## DP: If dropping privileges for untrusted macros, we disabled normal logging
+## DP: on the basis that it would fail; for the Exim run-time user, this is not
+## DP: the case, and it resulted in successful deliveries going unlogged.
+## DP: b7487bcec431809cb7fc3c2b42fcd607e43d37e7
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' exim-4.69~/build-tree/src/exim.c exim-4.69/build-tree/src/exim.c
+--- exim-4.69~/build-tree/src/exim.c 2011-01-24 19:21:00.000000000 +0100
++++ exim-4.69/build-tree/src/exim.c 2011-01-24 19:21:50.000000000 +0100
+@@ -3418,9 +3418,13 @@
+ and should be used for any logging information because attempts to write
+ to the log will usually fail. To arrange this, we unset really_exim. However,
+ if no stderr is available there is no point - we might as well have a go
+- at the log (if it fails, syslog will be written). */
++ at the log (if it fails, syslog will be written).
+
+- if (log_stderr != NULL) really_exim = FALSE;
++ Note that if the invoker is Exim, the logs remain available. Messing with
++ this causes unlogged successful deliveries. */
++
++ if ((log_stderr != NULL) && (real_uid != exim_uid))
++ really_exim = FALSE;
+ }
+
+ /* Privilege is to be retained for the moment. It may be dropped later,
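Review bot: The new condition at the end of the hunk turns on `real_uid != exim_uid` alone, but the added comment only says the logs "remain available" without saying why, and the rationale a maintainer needs to judge the check (the run-time user can append to its own log files, so diverting to stderr gains nothing and loses delivery records) is in the changelog rather than the code. I would extend the comment to: `Note that if the invoker is the Exim run-time user the log files are still writable by us, so leave really_exim set; clearing it here made deliveries re-exec'd by the daemon go unlogged (Bug 1071).` The test does not look at real_gid or at whether the configured log path is actually owned by exim_uid, so on an installation whose logs are owned differently the write would still fail and fall back to syslog as the original comment above describes — worth confirming that is the intended behaviour. The enclosing block opens before the hunk, so the surrounding privilege-drop logic is only partly visible.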